On 15/01/11 00:19, Warren Togami Jr. wrote:
On 01/14/2011 01:09 PM, Ned Slider wrote:
On 14/01/11 21:04, Warren Togami Jr. wrote:

Anyone else have effective local rules? Please let me know and I'll put
them into the nightly masscheck for testing.

Warren



header NSL_RCVD_HELO_USER Received =~ /helo[= ]user\)/i
describe NSL_RCVD_HELO_USER Received from HELO User

Might want to combine into a meta rule with existing NSL_RCVD_FROM_USER
rule:

header NSL_RCVD_FROM_USER Received =~ /from User [\[\(]/
describe NSL_RCVD_FROM_USER Received from User

The above are particularly effective (here) against 419 / bank phish
type emails sent from compromised webmail accounts. Hit rate is not
great, but the FP count is near zero.

Regards,

Ned

Thanks Ned,

Both of the above rules are already in
trunk/rulesrc/sandbox/jhardin/20_misc_testing.cf.

http://ruleqa.spamassassin.org/20110114-r1058896-n/NSL_RCVD_FROM_USER/detail

0.5% spam hit rate, and some ham hits, however they are all in the
ancient enron corpus that we will soon be removing.

http://ruleqa.spamassassin.org/20110114-r1058896-n/T_NSL_RCVD_HELO_USER/detail

Very few spam hits, and a number of ham hits but all in DOS's corpus.
Perhaps we should ask him if they really are ham?

Could you please describe how these rules work, and why the combination
of them would be useful?


Ah sorry, I meant to OR them in a meta rule:

The idea behind these rules originates from a discussion on the old SpamL list around a year ago. They hit against a webmail -> smtp injection point typically seen in compromised webmail accounts. Because they are so specific, some speculated this must be unique to only a few webmail packages. So we are simply looking back at (typically) the first Received header for strings like:

Received: from User ([85.153.20.122])
Received: from User (unknown [200.138.162.23])
Received: from User (unverified [77.250.43.54]) by mail.hotspace.com.au

or

Received: from unknown (HELO User) (124.124.1.228)
Received: from [62.172.163.253] (account t...@kievnet.com.ua HELO User)
Received: from [75.137.153.140] (helo=User)
Received: from [71.82.50.143] ([71.82.50.143:4150] helo=User)

In a year of running them locally I've never seen them hit on a ham message. They appear to hit quite well for me because I pre-filter 95%+ of my spam at the smtp level (greylisting, HELO checks, spamhaus etc), so SA only gets to see the difficult-to-catch stuff, which might inflate the percentage hits. As I said, they typically hit against bank phish sent from compromised accounts on legit servers, hence why they make it through greylisting and many DNSBLs.

In my corpus of 3402 spam I see NSL_RCVD_FROM_USER hit 604 (17.8%) and NSL_RCVD_HELO_USER hit 181 (5.3%). As there is (virtually?) no overlap, that's a combined hit rate of ~23%, the vast majority of which I would bet is bank phish. That is why I say these rules perform well for me - once you take out the spam that's trivial to filter (spambot spam), the hit rate against the remaining spam goes up.

NSL_RCVD_FROM_USER already has a score.

It appears that the combination of the two rules will be zero masscheck
FP's, but a maximum of 0.1% spam hits. I suppose this is worthwhile for
a night of testing, but I suspect it will be too small?

Warren
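A small Python check of the two header rules against the Received lines quoted in the thread, showing that each line hits exactly one rule and that an OR meta rule covers both; this is an added example, not code from the thread or from the SpamAssassin rule set, and the ordinary-looking relay header (mail.example.com / 192.0.2.1) and the meta rule name NSL_RCVD_USER are assumptions.

```python
import re

# The two rules Ned posted, as Python regexes. SpamAssassin's
# "header NAME Received =~ /.../" tests the pattern against the
# Received headers of a message; the /i flag becomes re.IGNORECASE.
RULES = {
    "NSL_RCVD_FROM_USER": re.compile(r"from User [\[\(]"),
    "NSL_RCVD_HELO_USER": re.compile(r"helo[= ]user\)", re.IGNORECASE),
}

# Received headers quoted in the thread, plus one constructed header
# (mail.example.com / 192.0.2.1) that looks like ordinary relay traffic
# and must not hit either rule.
SAMPLE_RECEIVED = [
    "Received: from User ([85.153.20.122])",
    "Received: from User (unknown [200.138.162.23])",
    "Received: from User (unverified [77.250.43.54]) by mail.hotspace.com.au",
    "Received: from unknown (HELO User) (124.124.1.228)",
    "Received: from [62.172.163.253] (account t...@kievnet.com.ua HELO User)",
    "Received: from [75.137.153.140] (helo=User)",
    "Received: from [71.82.50.143] ([71.82.50.143:4150] helo=User)",
    "Received: from mail.example.com (mail.example.com [192.0.2.1]) by mx.example.net",
]

def rule_hits(received_header):
    """Return the names of the rules whose pattern matches this header."""
    return {name for name, rx in RULES.items() if rx.search(received_header)}

def nsl_rcvd_user_meta(received_header):
    """OR of the two rules, i.e. the meta rule Ned proposes; in SA syntax
    (name assumed): meta NSL_RCVD_USER (NSL_RCVD_FROM_USER || NSL_RCVD_HELO_USER)"""
    return bool(rule_hits(received_header))

def tally(headers):
    """Per-rule hit counts, meta hit count and overlap count, mirroring
    the figures Ned reports for his corpus."""
    counts = {name: 0 for name in RULES}
    meta = overlap = 0
    for h in headers:
        hits = rule_hits(h)
        for name in hits:
            counts[name] += 1
        meta += bool(hits)
        overlap += len(hits) > 1
    return counts, meta, overlap

if __name__ == "__main__":
    for h in SAMPLE_RECEIVED:
        print(sorted(rule_hits(h)) or ["(no hit)"], h)
    print(tally(SAMPLE_RECEIVED))
```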

